feat(security): add AuthDisableLoginOptions + DevAuthRoles for dev login bypass

Joseph Doherty
2026-06-11 04:26:20 -04:00
parent bc31b6a4de
commit a92ba6a10b
3 changed files with 55 additions and 0 deletions
@@ -0,0 +1,18 @@
namespace ZB.MOM.WW.OtOpcUa.Security.Auth;
/// <summary>
/// Dev/test flag: when <see cref="DisableLogin"/> is true the AdminUI bypasses the login
/// form entirely and auto-authenticates every request as <see cref="User"/> with all roles.
/// Default OFF. Never enable in production.
/// </summary>
public sealed class AuthDisableLoginOptions
{
/// <summary>Configuration section name (<c>Security:Auth</c>).</summary>
public const string SectionName = "Security:Auth";
/// <summary>When true, disable login and auto-authenticate every request. Default false.</summary>
public bool DisableLogin { get; set; }
/// <summary>The username the auto-login principal is minted with. Default "multi-role-test".</summary>
public string User { get; set; } = "multi-role-test";
}
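Review bot: Nothing in `AuthDisableLoginOptions` enforces the "Never enable in production" rule stated in its own summary; because the type is bound from the `Security:Auth` section, any configuration provider contributing to that section can flip `DisableLogin` on, and the options class carries no validation hook. If the binding code (outside this hunk) does not already do so, consider registering an `IValidateOptions<AuthDisableLoginOptions>` that fails when `DisableLogin` is true and `IHostEnvironment.IsDevelopment()` is false, so a misconfigured deployment refuses to start instead of silently running with authentication off. The same validator is the right place to reject a blank `User`: `public string User { get; set; } = "multi-role-test";` accepts null or empty from configuration despite the non-nullable annotation, which would mint a principal with an empty name.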
@@ -0,0 +1,18 @@
using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
namespace ZB.MOM.WW.OtOpcUa.Security.Auth;
/// <summary>
/// The full canonical role set granted to the auto-login dev principal: every
/// <see cref="AdminRole"/> plus the appsettings-only control-plane role "Operator"
/// (required by the DriverOperator policy). Centralised so adding an AdminRole
/// automatically widens the grant.
/// </summary>
public static class DevAuthRoles
{
/// <summary>Operator role string — not an <see cref="AdminRole"/> enum member; used by the DriverOperator policy.</summary>
public const string Operator = "Operator";
/// <summary>All roles granted to the auto-login principal.</summary>
public static readonly string[] All = [.. Enum.GetNames<AdminRole>(), Operator];
}
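Review bot: `All` is exposed as a mutable `string[]`, so any code holding a reference to `DevAuthRoles` can reassign an element at runtime and change the role set the auto-login principal receives; `static readonly` protects only the reference, not the contents. Prefer an immutable view, e.g. `public static readonly ImmutableArray<string> All = [.. Enum.GetNames<AdminRole>(), Operator];` with `using System.Collections.Immutable;`, which keeps the `.Length` access in the accompanying test compiling. Also note that `Enum.GetNames<AdminRole>()` will include any sentinel member such as `None` or `Unknown` if `AdminRole` declares one — the enum is not visible here, so it is worth confirming that every name it yields is a role the dev principal should actually hold.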
@@ -0,0 +1,19 @@
using Shouldly;
using Xunit;
using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
using ZB.MOM.WW.OtOpcUa.Security.Auth;
namespace ZB.MOM.WW.OtOpcUa.Security.Tests;
public class DevAuthRolesTests
{
[Fact]
public void All_covers_every_AdminRole_plus_Operator()
{
foreach (var name in Enum.GetNames<AdminRole>())
DevAuthRoles.All.ShouldContain(name);
DevAuthRoles.All.ShouldContain("Operator");
DevAuthRoles.All.Length.ShouldBe(Enum.GetNames<AdminRole>().Length + 1);
DevAuthRoles.All.Distinct().Count().ShouldBe(DevAuthRoles.All.Length);
}
}
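Review bot: The test derives its expectation from `Enum.GetNames<AdminRole>()`, the same expression the production code uses, so it cannot detect a change in what the dev principal is granted — adding a high-privilege member to `AdminRole` widens `DevAuthRoles.All` and this test still passes. Since this is a login-bypass grant, consider pinning an explicit expected list, e.g. `DevAuthRoles.All.ShouldBe(new[] { /* each AdminRole name */, "Operator" }, ignoreOrder: true)`, so any widening of the bypass principal appears as a deliberate test edit in review. The `Distinct` assertion on the last line is a useful guard against `Operator` later being added to `AdminRole` as well; keep it.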